Deploy a Business Connectivity Services hybrid solution in SharePoint 2013

Summary: Learn how to configure the Business Connectivity Services (BCS) hybrid scenario to access on-premises data through SharePoint Online.

This article is part of a roadmap of procedures for configuring SharePoint hybrid solutions. Be sure you're following a roadmap when you do the procedures in this article.

The Microsoft Business Connectivity Services (BCS) hybrid deployment scenario allows you to securely publish on-premises data to an external list or app for SharePoint in SharePoint Online. From there, users can view and edit the data, depending on the permissions that they have.

In this scenario, you will learn how to:

Configure your on-premises environment so that you can securely publish confidential business data to your SharePoint Online tenancy.

Create and configure an OData service endpoint and an external content type with Visual Studio 2012.

Prepare your SharePoint Online tenancy to host an app for SharePoint or an external list, which makes the external data available to your extranet users.

Create a connection settings object that tells Business Connectivity Services in SharePoint Online how to connect to the on-premises OData service endpoint.

Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

BCS is a centralized infrastructure in SharePoint Server 2013, Office 2013, and SharePoint Online that enables you to integrate data that is not in SharePoint products or Office 2013 into SharePoint products. BCS implementations take many forms. This includes this hybrid form that uses SharePoint Online and SharePoint 2013 on-premises. These procedures show how to install and configure BCS to integrate data from an on-premises OData service endpoint into SharePoint Online. For this scenario, we use the AdventureWorks sample SQL database and create an OData service head for the database. The solution looks as shown in the following diagram.

Figure: Hybrid BCS solution

An information worker logs on to SharePoint Online by using their federated account and opens an app for SharePoint or external list that needs data from an on-premises OData data source.

The external list creates a request for the data and sends it to Business Connectivity Services. Business Connectivity Services looks at the connection settings object to see how to connect to the data source and which credentials to use.

Business Connectivity Services retrieves two sets of credentials:

The Secure Channel certificate from Secure Store in SharePoint Online. This is used for SharePoint Online authentication to the reverse proxy.

An OAuth token from the Azure AD Service. This is used for user authentication to the SharePoint 2013 on-premises farm. You gain access to the Azure AD service with your SharePoint Online subscription. It is a security token service that manages security tokens for users of SharePoint Online.

Business Connectivity Services sends an HTTPS request to the published endpoint for the data source. The request includes the client certificate from Secure Store, the OAuth token, and a request for the data. The reverse proxy authenticates the request by using the client certificate and forwards it to the on-premises SharePoint 2013 farm. For more information about publishing SharePoint to the Internet, see SharePoint publishing solution guide in the Forefront Technical Library.

The on-premises farm retrieves the user’s cloud identity from the OAuth token (for example, user123@contoso.com), and through the Client Side Object Model (CSOM) code, maps it to the on-premises identity (for example, contoso\user123). The on-premises credentials are mapped to credentials that have access to the external data via a Secure Store target application.

The on-premises Business Connectivity Services forwards the request to the OData Service endpoint. The OData Service authenticates the request (via IIS) and returns the data, which is passed back through the chain to the external list for the user to work with.

The steps to completely deploy this scenario are presented in smaller procedures. Some of the procedures are on TechNet, some are on Office.com, and some are on MSDN. Each procedure is numbered indicating its position in the overall sequence. At the beginning and end of each procedure, links direct you to the previous and following steps. The following list contains links to all of the procedures, in the required order, for your reference. Be aware that this list includes the steps to deploy an external list and an app for SharePoint. You can deploy one or the other or both, depending on your needs. You should skip the steps for whichever configuration you don’t want to deploy. You must follow them in sequence to build out the scenario. You can also use these procedures individually for your own unique scenarios. When you assemble individual procedures to build out your own scenarios, it is important that you test the complete set of procedures, in order, in a lab setting before you try them in production.